On Thu, 27 Nov 2008, Michael Richardson wrote:

> You are. It's all ready.
>
> DNSSEC can be done in the plenary by changing the recursive servers.
> It's pretty close to being completely apt-get/yum/pkg_add able as being
> on. What's missing is someone to decide what are the set of TAs to
> use...

Even that is done with the autotrust and dnssec-keys packages. The only thing that needs to happen is for someone at the distribution to flip the switch. (The dnssec-keys package allows that for Fedora/RHEL machines by using a simple dnssec-configure command, including DLV support.)[*]

The problem is really that there are not many signed zones out there that are reachable. As I talked at IETF-73 with people such as Roy and Sam, there is not really any benchmarking one can do. One can benchmark DNS and one can benchmark crypto, but benchmarking DNSSEC is not the sum of those two. Without the additional signed zones, the IETF Plenary testing really just becomes a much smaller version of a bind/unbound test at a large ISP. We'd be better off asking COMCAST to give a presentation about their experience enabling DNSSEC on their resolvers.

And I think testing key rollover during the Plenary might be too disturbing for the plenary itself if it breaks.

Paul

[*] That and hardware crypto acceleration is basically our DNSX Secure Resolver appliance due Q1 2009.

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf